IT and Physical Security Management - Should they be Integrated?

An Australian friend of mine sent me this reference to a recent story of a sophisticated physical attack on point-of-sale terminals handling financial transactions. It’s not the first nor is it the last incident of its kind. But it’s not the type of attack we routinely encounter, because it requires a rare combination of knowledge, access and skills.

Of course one could argue that terminals handling sensitive data should always have the maximum degree of in-built, tamper-proof protection. But the best answer is to provide the right combination of physical and technical security protection. Which raises the question of how best to ensure an effective blend of IT and Physical Security. Should we consider integrating these very different functions? It’s becoming fashionable in some quarters. A few leading UK banks have opted to combine IT Security with Fraud or Physical Security. And more recently the UK Government Centre for Protection of National Infrastructure (CPNI) has decided to merge its IT and Physical Security advisory functions. Are they right? Should we follow suit?

I’ve worked in both the IT and Security functions of two different organizations, so I understand the context and issues reasonably well. IT and Physical Security are very different disciplines. Professional development is different, because the skills and knowledge required are different. You can’t put a technical expert straight into an investigation role. And you can’t ask a physical security expert to manage a firewall. But business units need balanced, consistent advice from both areas of expertise. And increasingly so, with contemporary Identity Management solutions presenting opportunities for combining both IT and physical access management, and security investigations increasingly requiring computer forensic support.

The advantage of combining these functions is that it provides a single point of consistent, authoritative and complete advice. It also creates synergies and technology transfers of hard-to-acquire experience and skills. The disadvantage is that it dilutes the presence and influence of IT Security within the IT or Business function. And it presents a major challenge for recruitment and professional development. Few practitioners have the skills and experience to cover both subject areas. A couple of recent headhunts to find top managers with combined skills have drawn blanks. It’s very tempting for an Executive Board to want a single point of advice. But thinking on your feet about a threat outside of your direct experience in a Boardroom situation is not to be recommended.

So should we or shouldn’t we attempt to combine these functions? In my view it makes sense to integrate such expertise for activities such as policy, audit and consultancy. It makes less sense for day-to-day business or IT decision-making. So in my book, CPNI are right, but I’m not convinced it’s appropriate for user organizations. But whatever logic one presents, in practice it’s always politics, perception and personal interests that determine the final shape of all organization structures. Plus of course that eternal, overriding business driver of headcount reduction.